APPENDIX A ■ ■ ■ SSH Client Alternatives

The core material of this book focuses on UNIX/Linux-based OpenSSH systems, which means typing instructions at a command-line prompt to make an SSH connection. Sometimes, however, a graphical client is the better alternative, because it presents a lower learning curve to end users and lets a Windows user connect to a UNIX or Linux machine over SSH without a command-line interface. With the OpenSSH client, options are configured through the system-wide ssh_config file and the individual user's $HOME/.ssh/config file. With a graphical client, the same options are managed from within the tool. The settings a graphical tool presents map closely onto ssh_config settings, because every client is implementing the same SSH protocol; the names and defaults differ from tool to tool, so check each equivalent setting rather than assuming it matches. Several clients beyond those covered in this appendix are also available.

PuTTY Family

The PuTTY set of SSH client utilities is primarily used on the Microsoft Windows platform, although it is also available for UNIX systems. You can download it free of charge from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. The PuTTY project also publishes PGP signatures for its downloads; verify them before running binaries fetched over the network. The PuTTY set of tools includes PuTTY for terminal emulation, plink for command-line connectivity, PuTTYgen for key generation and management, Pageant as a graphical ssh-agent, PSCP as a command-line SCP utility, and PSFTP as a command-line SFTP client.

PuTTY

PuTTY is a free terminal emulation and connectivity tool. It supports SSH protocols 1 and 2 and can also connect to machines via telnet or rlogin if that is desired. I commonly recommend PuTTY as an SSH client because of its price and features. It is a lightweight yet full-featured client, weighing in at around 415KB. Although an installer is available, you can also download the bare executable, so getting started is as simple as double-clicking the downloaded file.


The PuTTY configuration screen, shown in Figure A-1, opens when the executable is started. The granular configuration options are controlled via the context menus on the left side of the screen. The main session information is controlled on the right side.

Figure A-1. The PuTTY configuration screen

Configuring PuTTY is not all that different from configuring the ssh command-line client. Most, if not all, of the options available to the ssh command-line client are found within PuTTY's configuration options. The default configuration is usually adequate for most users; however, there are a few defaults you might consider changing. For instance, it is sometimes necessary to scroll back through many session lines for debugging purposes. To lengthen the history, set the scrollback buffer to 9999 lines, as shown in Figure A-2.

Figure A-2. Configuring PuTTY with a larger scrollback buffer

It is also quite convenient to be able to run the terminal session in full-screen mode. If this option is enabled, pressing Alt+Enter toggles full-screen mode for a PuTTY session, as shown in Figure A-3.

Figure A-3. Enabling full-screen mode with PuTTY

When working with SSH servers and firewalls that drop idle connections, enabling the keep-alive feature can be useful; it is the equivalent of ServerAliveInterval in the ssh_config file. PuTTY sends an SSH null packet to the server at the configured interval, which keeps the connection looking active to the server and to any stateful firewall in the path. This is configured under the Connection context menu. Figure A-4 highlights the relevant setting.

Figure A-4. Enabling a keep-alive from PuTTY

For security reasons, consider disabling support for SSH protocol 1, which has known cryptographic weaknesses. To do this, select the 2 only radio button, as shown in Figure A-5, under the Connection ➤ SSH context menu.

Figure A-5. Ensuring only protocol 2 is allowed

Enabling X11 forwarding is a common requirement. PuTTY does not provide an X server, so an external program such as the Cygwin X server (see Appendix B) must be used. X11 forwarding is configured through the Connection ➤ SSH ➤ X11 context menu, which brings up the configuration window shown in Figure A-6. The location of the local X display is also configured on this screen. Enable forwarding only for hosts you trust: a forwarded X11 connection gives the remote system access to your local display, including its keyboard input.

Figure A-6. Configuration of X11 forwarding is simple with PuTTY.

Tunnels, automatic usernames, and color schemes can also be controlled within the PuTTY configuration. Once your settings are configured in the desired manner, save your session by naming it under the Session context menu. Alternatively, save your settings as the Default Settings, which means all future sessions will inherit them.
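As an added example (not from the book), the following shell function writes the ssh_config equivalent of the PuTTY session settings discussed above into a per-user config file. The host alias www, the login name stahnma, and the telnet tunnel on local port 12345 are assumptions chosen to match examples elsewhere in this appendix. The function refuses to add a second stanza for the same alias, since ssh honours only the first match, and the umask keeps the file private, since ssh rejects a config file that other users can write. Newer OpenSSH releases have dropped protocol 1 entirely, so the Protocol line only matters for clients of the book's era.

```shell
#!/bin/sh
# Added example, not code from the book: build the ssh_config stanza that
# matches the PuTTY settings discussed above. Alias, user and tunnel are
# assumptions; adjust them for your own hosts.

# add_host_stanza ALIAS USER CONFIG_FILE
# Appends a "Host ALIAS" stanza to CONFIG_FILE unless one already exists.
add_host_stanza() {
    host_alias=$1; user=$2; cfg=$3
    # Refuse to duplicate: ssh uses the first matching stanza and silently
    # ignores later ones, so a second copy would never take effect.
    if grep -q -E "^Host[[:space:]]+$host_alias([[:space:]]|\$)" "$cfg" 2>/dev/null; then
        echo "add_host_stanza: $host_alias already configured in $cfg" >&2
        return 1
    fi
    umask 077   # ssh refuses a config file that is writable by others
    # ssh_config allows comments only on their own lines, never after a value.
    cat >> "$cfg" <<EOF
Host $host_alias
    # PuTTY: Connection > Data > Auto-login username
    User $user
    # PuTTY: Connection > SSH > "2 only" (protocol 1 has known weaknesses)
    Protocol 2
    # PuTTY: Connection > "Seconds between keepalives"; give up after three
    # unanswered probes instead of hanging on a dead link
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # PuTTY: Connection > SSH > X11 > Enable X11 forwarding
    ForwardX11 yes
    # PuTTY: Connection > SSH > Tunnels; local port 12345 -> telnet on $host_alias
    LocalForward 12345 localhost:23
    # Not a PuTTY mapping, but worth having in every stanza: refuse to
    # connect if the host key changes instead of just warning.
    StrictHostKeyChecking yes
EOF
}

# Demonstration against a scratch file; point cfg at ~/.ssh/config for real use.
demo_cfg=$(mktemp)
add_host_stanza www stahnma "$demo_cfg" && cat "$demo_cfg"
rm -f "$demo_cfg"
```

Run it once against your real ~/.ssh/config; a second run for the same alias is refused rather than appending a stanza that ssh would never read.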

plink

plink is another tool from the maintainers of PuTTY, offering an SSH command-line interface, something not otherwise available on the Windows platform. plink is a console program and is run from the command line. Navigate to the directory where plink is located and execute plink with no arguments to display its options. Most often, plink is used with already created PuTTY sessions. The syntax is plink -load session_name, where session_name is the name of a session saved in your PuTTY configuration. For example, to connect from the Microsoft Windows command line to the server www, the command looks like this:

%>plink -load www

Figure A-7 depicts a plink connection. Note that because the Windows command prompt does not perform terminal emulation, output containing control characters or color codes is shown as raw escape sequences rather than interpreted. For scripted use, add the -batch switch so that plink aborts at any interactive prompt (an unknown or changed host key, for example) instead of waiting for input that never comes.

Figure A-7. Using plink from the Microsoft Windows command line

PuTTYgen

PuTTYgen is the SSH key generator for PuTTY and its utilities. The keys it produces are used to connect to remote systems with key-based authentication. PuTTYgen is very similar to its command-line counterpart, ssh-keygen. It can generate RSA and DSA keys for a user, and it can also convert keys between the OpenSSH format and the IETF (Internet Engineering Task Force) SecSH format used by SSH Communications Security. To use PuTTYgen, select your key parameters and click the Generate button, as shown in Figure A-8; choose at least 2048 bits for an RSA key. Key generation requires some mouse movement as a source of entropy (randomness), which makes the key more difficult to predict. Upon completion, enter a passphrase. PuTTYgen provides the exact text that can be pasted into an authorized_keys file to set up public key authentication, as shown in Figure A-9. It can also regenerate public keys from private keys and change the passphrases of private keys. Note that PuTTY's own .ppk private key format is not what OpenSSH reads; to use a PuTTYgen key with the OpenSSH client, export it from PuTTYgen's Conversions menu as an OpenSSH key.

Figure A-8. The default PuTTYgen screen

Figure A-9. PuTTYgen after a key has been loaded/generated

Pageant

The Pageant program emulates the behavior of ssh-agent on the command line, enabling you to log in without a password and instead authenticate with a public key. It loads private key files that are optionally protected by a passphrase, allowing PuTTY and the rest of the PuTTY utilities to make use of public key authentication. When started, Pageant runs in the system tray. To use it, double-click its icon and add a private key. If the key is protected by a passphrase, you will need to enter it. Once the key is loaded, the other PuTTY utilities become aware of it. Bear in mind that while a key is loaded, anyone who can use your desktop session can authenticate with it, so lock the screen when you step away. Figure A-10 shows Pageant listing the private keys loaded into it.

Figure A-10. Pageant displaying the keys loaded into the agent

Once the key is loaded, the PuTTY tools will try to authenticate using the key(s) from that agent, as shown in Figure A-11. When a PuTTY connection is attempted, all you need to do is specify the appropriate username, and authentication completes. Optionally, you can instruct PuTTY to use different keys for different saved sessions. Also, usernames can be stored inside of each session, which means that connections can be made without typing a single keystroke once Pageant is loaded.

Figure A-11. Authentication in PuTTY is handled by Pageant.

PSCP

PSCP is a command-line utility similar to plink, capable of carrying out SCP- and SFTP-based transfers, which makes it suitable for transferring files to both SSH Tectia Server and OpenSSH servers. PSCP is shown in Figure A-12. PSCP can also use Pageant. Run without arguments, PSCP prints its usage and exits.

Figure A-12. SCP connection from the Microsoft Windows command line

PSFTP

PSFTP is an SFTP client that can be run interactively by double-clicking the executable. At its prompt, type open followed by a hostname, a PuTTY session name, or an IP address. You will then be prompted for a username if your PuTTY session did not define one. Figure A-13 shows a connection established with PSFTP. Once connected, the normal SFTP commands such as get, put, and ls are used.

Figure A-13. PSFTP is an SFTP client for Microsoft Windows.

PuTTY Summary

The PuTTY family of SSH client utilities is very powerful and requires neither an installation nor large amounts of disk space. Also, because it is available under the MIT license, it can be used and even incorporated into other projects without royalties. I commonly find myself using PuTTY when I arrive at a Microsoft Windows desktop. The PuTTY suite and a few keys easily fit on a floppy disk or a USB keychain drive, and PuTTY works even if my account does not have administrator authority, because it needs no installer. As a terminal emulation program, PuTTY is my favorite. However, the command-line utilities for SCP and SFTP are sometimes too complicated for end users. The next section of this appendix covers some graphical alternatives to PSCP and PSFTP on the Microsoft Windows platform.

WinSCP

WinSCP (http://www.winscp.net/) is my favorite file transfer program for the Windows operating system. WinSCP can be downloaded as a stand-alone application or as an installation package; the difference is that the installer adds WinSCP to the Windows Add/Remove Programs list, adds desktop and Start menu links, and optionally adds WinSCP to the Windows Explorer Send To menu.

WinSCP has a similar setup to PuTTY. Options are available on the left side of the screen through expandable context menus. To create a similar environment to the PuTTY environment established in the previous section, navigate to the SSH context menu and specify protocol 2 only by choosing the 2 only radio button option, as shown in Figure A-14.

Figure A-14. Configuring WinSCP for SSH protocol 2 only

WinSCP can also import PuTTY sessions natively, which is a wonderful feature. To use it, navigate to Sessions ➤ Stored sessions and click Tools, located on the right side of the window. After clicking Import, choose which PuTTY sessions you would like to import. Sessions can also be defined and saved in WinSCP only.

WinSCP has two modes, Commander-like and Explorer-like, which can be switched as shown in Figure A-15. The Commander-like interface shows the local directory structure on the left side and the remote directory structure on the right, as shown in Figure A-16; files are transferred by drag and drop. The Explorer-like interface, shown in Figure A-17, shows only the remote system, and drag and drop is once again used for transfers. To configure which mode WinSCP uses, navigate to Preferences in the context menu and make your selection.

Figure A-15. WinSCP can be configured to use a Commander-like or Explorer-like interface.

Figure A-16. WinSCP using the Commander-like interface

Figure A-17. WinSCP using the Explorer-like interface

WinSCP has many other options that can be adjusted to meet your configuration needs. However, in most cases, the default settings will have enough flexibility for end users. Inside the session options of the context menu, a shortcut icon can also be created. This allows for a simple double-click to connect to a remote system.

■Caution Although WinSCP can use PuTTYgen private keys, it can also store passwords in its saved sessions. A stored password is recoverable by anyone who gains access to the desktop computer (or to the user's WinSCP configuration), and it lets them run commands on the remote system as that account. Key-based authentication adds the protection of a passphrase on the private key, provided you choose to protect your private key with one; pair it with Pageant rather than saving a password.

FISH

Files over SSH (FISH) is not an official protocol, but it can be used from Konqueror when running the K Desktop Environment (KDE, http://www.kde.org). FISH connects to remote hosts over an ordinary SSH login shell rather than the SFTP subsystem, so it works even against servers that have no sftp-server configured, as long as the account has a shell. To use it, enter fish://user@hostname in the Konqueror address bar, as shown in Figure A-18. All KDE applications understand the fish:// scheme, but other applications may not. FISH is basically equivalent to using WinSCP to connect to a remote system; files can be copied via drag and drop.

Figure A-18. Konqueror using the FISH address option

FileZilla

FileZilla (http://filezilla.sourceforge.net) is a common alternative to WinSCP for secure file transfer. It is very similar to most graphical FTP clients; in fact, it also supports plain FTP, FTP over SSL, and SFTP. FileZilla is freely available, as it is licensed under the GPL. If your account is not in the Administrators group on Windows, FileZilla can still be installed without touching the Windows registry. After installation, a connection must be set up. The initial screen, shown in Figure A-19, looks very crowded, but most of it is useful.

Figure A-19. The initial FileZilla screen

To set up a new connection, click File ➤ Site Manager and create your connection there. Be sure to change the default Servertype option from FTP to SFTP using SSH2; the plain FTP default sends credentials and data in clear text. You then need to specify a username and password, as anonymous logins are not supported via SFTP. My connection to the remote system www is shown in Figure A-20.

Figure A-20. A Site Manager window in FileZilla configured for a remote SFTP connection

After configuring the connection, click the network icon to select your connection. FileZilla displays status and log information at the top, the remote file listing on the right, and the local file listing on the left. The bottom of the window is the transfer queue. Files are transferred via double-click or drag and drop. An established FileZilla connection is shown in Figure A-21.

Figure A-21. An established SFTP connection via FileZilla

SSH Tectia Client

The SSH Tectia Client from SSH Communications Security is a commercial SSH client with some nice features. As with the rest of the clients mentioned in this appendix, the Tectia Client can be used with both OpenSSH and commercial SSH implementations. Installing the Tectia Client is straightforward. Run the TectiaClient-4.x.x.xx.msi file, where the x characters are replaced with the version of the client you have. An installation wizard begins; after accepting the license agreement, clicking Next and accepting the defaults completes the installation. The SSH Tectia Client is shown in Figure A-22. Connections can be saved in profiles inside the client. Additionally, ad hoc connections can be created using the Quick Connect button; once a Quick Connect connection is established, it can be saved into a profile. By default, the SSH Tectia Client warns the user if it is making an SSH protocol 1 connection.

Figure A-22. The SSH Tectia Client window

After establishing a connection, the SSH Tectia Client offers several very nice options. If you need more than one connection open to a system, perhaps to edit source in one window and compile and run it in another, the SSH Tectia Client can simply open new terminal connections without additional authentication. This is similar to the ControlMaster and ControlPath functionality of the command-line OpenSSH ssh client. If you are connected to a system and need to transfer files to it, click the New File Transfer Window icon to open a window with drag-and-drop file transfers, very similar to WinSCP or FileZilla. Session options similar to those found in ssh_config can be set for the entire SSH Tectia Client by clicking Edit ➤ Settings. Settings can also be made per connection profile, similar to a $HOME/.ssh/config file, using the Edit Profiles option shown in Figure A-23. Most often, editing the Tunneling tab is enough to make this client very usable. Check the box for X11 forwarding if that is desired. Figure A-24 shows a configuration with a tunnel already created for Telnet to my remote system www: the client listens on localhost port 12345 and carries the connection to the remote system's telnet port inside the SSH session, so the telnet login is protected by SSH for the whole path between the client and www.

Figure A-23. Editing Profiles setting in the SSH Tectia Client

Figure A-24. Creating and removing tunnels is easy via the SSH Tectia Client.

Public key authentication is also very easy to set up if you are using the SSH Tectia Server with the Tectia Client. Edit your settings once again and generate a key. Then create a connection to a system running SSH Tectia Server. Once connected, click Settings ➤ Global Settings ➤ User Authentication ➤ Keys, and then click the Upload button. This automatically uploads your public key, as shown in Figure A-25, and places it in the .ssh2 directory with proper permissions. The next time a connection is attempted to the remote system, you should be prompted for a passphrase and connect via public key authentication. If you use OpenSSH keys, the public key can be exported to the SecSH format with the OpenSSH utility ssh-keygen, run from a command line as in this example. The -e switch exports an OpenSSH public key in SecSH format; -i performs the reverse import, so ssh-keygen -i -f .ssh2/SecSH_rsa prints a SecSH-format public key in the form OpenSSH reads. Only public keys are converted this way; the private key stays in whatever format its own client expects.

stahnma@rack:~> ssh-keygen -e -f ~/.ssh/id_rsa.pub > .ssh2/SecSH_rsa.pub
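The conversion that ssh-keygen -e and -i (and PuTTYgen's Conversions menu, described earlier in this appendix) perform on a public key is a simple re-encoding, and it is worth seeing exactly what changes. The following shell functions are an added example, not code from the book or from OpenSSH: they turn a one-line OpenSSH public key into the SecSH (RFC 4716) format and back. The key material is a constructed ssh-rsa blob with a two-byte modulus, good only for demonstrating the encoding, and the user name in its comment is an assumption. Header continuation lines and the optional Subject header of RFC 4716 are not handled. GNU coreutils (base64 -d, head -c, tail -c, od) are assumed.

```shell
#!/bin/sh
# Added example (not from the book): re-encode an OpenSSH public key as
# SecSH / RFC 4716 and back. Requires GNU coreutils (base64 -d, head -c, tail -c).

# openssh_to_secsh: stdin "ssh-rsa AAAA... comment"  ->  RFC 4716 on stdout
openssh_to_secsh() {
    read -r ktype blob comment
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    if [ -n "$comment" ]; then
        printf 'Comment: "%s"\n' "$comment"
    fi
    # ssh-keygen -e wraps the base64 body at 70 columns; RFC 4716 allows up to 72.
    printf '%s\n' "$blob" | fold -w 70
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# secsh_to_openssh: RFC 4716 on stdin  ->  one-line OpenSSH public key on stdout
# The key type is not stored separately in RFC 4716; it is recovered from the
# decoded blob, whose first field is a length-prefixed type string.
secsh_to_openssh() {
    comment=""; blob=""
    while IFS= read -r line; do
        case $line in
            '---- BEGIN SSH2 PUBLIC KEY ----'|'---- END SSH2 PUBLIC KEY ----') ;;
            Comment:*)
                comment=${line#Comment:}
                comment=${comment# }          # strip the separating space
                comment=${comment#\"}; comment=${comment%\"} ;;
            *:*) ;;                           # other headers (Subject:, x-*) ignored
            *) blob="$blob$line" ;;           # base64 body, possibly wrapped
        esac
    done
    # First 4 bytes of the blob: big-endian length of the key-type string.
    n=$(printf '%s' "$blob" | base64 -d | od -An -tu1 -N4 |
        awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }')
    ktype=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "$n")
    if [ -n "$comment" ]; then
        printf '%s %s %s\n' "$ktype" "$blob" "$comment"
    else
        printf '%s %s\n' "$ktype" "$blob"
    fi
}

# Constructed sample: a syntactically valid ssh-rsa blob (e=65537, two-byte
# modulus) that no real key would have; it exercises the encoding only.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAgoL stahnma@rack'

# Demonstration: export, then import, and confirm the round trip is lossless.
printf '%s\n' "$SAMPLE_KEY" | openssh_to_secsh
roundtrip=$(printf '%s\n' "$SAMPLE_KEY" | openssh_to_secsh | secsh_to_openssh)
[ "$roundtrip" = "$SAMPLE_KEY" ] && echo "round trip OK"
```

The point to take from the import direction is that nothing in the SecSH headers says what kind of key it is; the type is inside the base64 blob, which is why ssh-keygen -i needs to decode the key before it can write the ssh-rsa or ssh-dss prefix.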

Figure A-25. Configuring the public key to be uploaded

The SSH Tectia Client can be a very useful utility, although your personal choice will ultimately come down to personal preference and price. I like certain features of PuTTY more than the SSH Tectia Client, such as the ability to create a full-screen session, and I like some features of the SSH Tectia Client more, such as multiple connections at the click of a button and the ease of tunneling. In the end, the choice for connectivity tools is yours.

■Tip The SSH Tectia Client also installs binaries for clients that can be used from the Windows command line. The connectivity binary is called ssh2.

Summary

There are several other options available, both free and for purchase; however, the software packages introduced in this appendix seem to be the most popular. All of these clients will be improved over time, and new clients may be developed that make these look like legacy options. The choice of connection tool is yours. Remember that whichever client you use, SSH protects the session in a way the clear-text protocols it replaces (telnet, rlogin, and FTP) never did; the client is only the front end to that protocol.

APPENDIX B ■ ■ ■ OpenSSH on Windows

Information technology architects, integrators, and system administrators often require a multiplatform environment to do their jobs effectively, and many home networks and data centers alike rely on a blend of Microsoft Windows and UNIX/Linux platforms. As you learned in Appendix A, SSH clients are readily available for the Windows operating system, making cross-platform communication a trivial matter. Sometimes, however, running an OpenSSH server on Windows can be quite convenient. While other cross-platform solutions are available, Samba (http://www.samba.org) for instance, my experience has shown that they require a UNIX administrator to have a wealth of Windows knowledge to make them work efficiently and securely. Thankfully, the SSH protocol works in the same manner regardless of what platform hosts the SSH server. This makes working with SSH on Windows systems easier, because the understanding of SSH developed on UNIX systems carries over directly.

OpenSSH via Cygwin

The official OpenSSH website does not offer an OpenSSH binary for Microsoft Windows. It does, however, point to the Cygwin (http://www.cygwin.com) implementation. There have been other ports of OpenSSH to Windows, most of which are no longer maintained, and they relied on Cygwin in some respect.

Introduction to Cygwin

Cygwin provides a UNIX/Linux-type environment inside a Windows system. It allows for the installation of many common UNIX/Linux utilities, including OpenSSH, perl, bash, vi, and many more. The core of Cygwin is implemented as a Windows DLL, with other files included for support. Programs are compiled against the Cygwin DLL and libraries to work in a Cygwin environment; traditional UNIX/Linux binaries will not run on Cygwin without recompiling them from source inside the Cygwin environment.

Downloading and Installing Cygwin

The first step to installing Cygwin is, of course, to download it. The Cygwin package is a network-based installer that is only 280K, and it offers hundreds of packages that can be selected for installation. To download the installer, click on a link to the Cygwin setup.exe file found throughout the Cygwin home page.

To install Cygwin, run the downloaded setup.exe file by double-clicking on it. The installer will ask if you would like to install from the Internet, download without installing the files, or install from local files. The default Install from Internet option, shown in Figure B-1, is fine for most situations.

Figure B-1. Cygwin installation via a direct Internet connection

Once the package metadata has been downloaded, you will be presented with a screen that allows for package selection. There are hundreds of packages to choose from. If you are particularly fond of a package, feel free to install it, as it should not conflict with OpenSSH. OpenSSH is not installed by default. To install it, click the View button; the package selection view changes to a full package listing. From there, navigate down to openssh under the Package heading, as shown in Figure B-2. Clicking the Skip icon toggles the installation value, and the OpenSSH version will appear. The dependencies for OpenSSH, such as OpenSSL, are selected automatically.

Figure B-2. Cygwin package selection

Click Next, and the package download will begin. This may require a considerable amount of time depending on network speed and the amount of packages you selected.

■Tip The vi editor is not installed by default, and I find that to accomplish almost anything in a UNIX-type environment, an editor is required. You might want to install the editor of your choosing.

Once installed, click the Cygwin icon that has been placed on your Desktop or in the Start Menu. It will launch a bash session, as shown in Figure B-3.

Figure B-3. A bash shell launched from Cygwin

Configuring sshd as a Service

Once installed, sshd is neither running nor configured by default. You will probably want to change this, because you will most likely want to run it as a service. Services in Windows are like daemons in UNIX/Linux: they run even if no user is logged in. To run sshd as a service, a few environment variables must be set, and the sshd host keys, configuration file, and service entry must be created. The /usr/bin/ssh-host-config script does all of this for you (run it from a Cygwin shell and answer its prompts); the environment variables can also be set manually. To edit environment variables manually in the Windows operating system, right-click the My Computer icon and click Properties. Under the Advanced tab, click Environment Variables, as shown in Figure B-4.

Figure B-4. Click the Environment Variables button.

A new variable called CYGWIN must be added. This variable selects the Cygwin security mechanism: the ntsec setting tells Cygwin to use the Windows security model (NT permissions and user information) rather than emulate UNIX permissions on its own. The value should be ntsec tty, as shown in Figure B-5.

Figure B-5. Setting the CYGWIN environment variable in Windows

You should also add C:\cygwin\bin (or your Cygwin directory, if it is not at the default location) to the PATH variable. To do this, click on PATH and click Edit. To start sshd as a service, type net start sshd at either the Cygwin command line or a normal Windows command prompt. To stop sshd, type net stop sshd. Starting and stopping the sshd service is shown in Figures B-6 and B-7.

Figure B-6. Starting the Cygwin sshd service

Figure B-7. Stopping the Cygwin sshd service

Testing the Connection

That's really all there is to getting sshd up and running on a Windows system. The next step is to test your connection via an SSH client.

Windows Firewall

If you are a security-minded user, you are probably using a personal firewall of some kind, whether the firewall built into Windows or a third-party solution. In fact, if you are running Windows XP Service Pack 2 or later, the Windows Firewall is enabled by default. To allow SSH connections from other systems, you will need to open TCP port 22 on that firewall. To enable sshd through the Windows Firewall, open the Windows Control Panel, click Security Center, and then click the bottom icon that says Windows Firewall, as shown in Figure B-8.

Figure B-8. Click Windows Firewall.

Under the Exceptions tab, click the Add Port button, and add an appropriate name along with TCP port number 22. Use the exception's Change scope option to limit it to your local subnet or to specific addresses unless the server genuinely needs to accept connections from anywhere. Figure B-9 depicts the process of adding sshd as an allowed port.

Figure B-9. Adding sshd as an application on TCP port 22

Establishing the Connection

After configuring your firewall to allow inbound connections on TCP port 22, test the SSH connection from an SSH client. I used PuTTY from my system, but the command line from Cygwin will also work. Use the actual hostname or IP address of the Windows system rather than localhost: the firewall does not filter connections from localhost, so a successful local connection proves nothing about the firewall exception. If all goes well, you should see something similar to Figure B-10.

Figure B-10. A connection has been established with sshd running on Windows.

Cygwin and Users

When Cygwin is installed, it creates an /etc/passwd file based on the current Windows users. If you need to add users, it is best to add them through the Windows Users Control Panel or through a domain controller. However, when new users have been added to Windows in either manner, Cygwin must be made aware of the changes. To do so, run the Cygwin mkpasswd command to import the Windows users into a newly generated /etc/passwd file. After adding a user through Windows, run the following command to rebuild /etc/passwd from the local accounts:

$ mkpasswd -l > /etc/passwd

This command creates a new /etc/passwd file with the current local Windows user information. If you are in a domain infrastructure, you need a different switch to pull the accounts from the domain controller instead:

$ mkpasswd -d > /etc/passwd
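Redirecting mkpasswd straight over /etc/passwd replaces the whole file, including any entry that was added by hand or that belongs to an account mkpasswd does not enumerate, and a failure midway (an unreachable domain controller, for instance) leaves an empty or truncated file that locks everyone out of sshd. The shell function below is an added example, not part of the book or of Cygwin: it merges fresh mkpasswd output with the current file, lets the fresh data win for any user present in both, keeps current-only entries, refuses empty input, and replaces the file atomically. Entries for accounts since deleted in Windows are deliberately kept and should be pruned by hand. The sample passwd lines are constructed (user names, SIDs and home directories are invented) so the example runs against scratch copies.

```shell
#!/bin/sh
# Added example (not from the book): rebuild Cygwin's /etc/passwd from
# mkpasswd output without losing entries that exist only in the current file.
# usage: merge_passwd CURRENT_FILE MKPASSWD_OUTPUT_FILE RESULT_FILE
merge_passwd() {
    cur=$1; new=$2; out=$3
    # An empty mkpasswd result means the lookup failed (no domain controller
    # reachable, for instance); merging it would silently throw users away.
    if [ ! -s "$new" ]; then
        echo "merge_passwd: $new is empty, refusing to merge" >&2
        return 1
    fi
    tmp=$(mktemp "$out.XXXXXX")
    # Pass 1 (NR==FNR): every line of the fresh output, remembering user names.
    # Pass 2: lines of the current file whose user name was not seen in pass 1.
    awk -F: 'NR==FNR { seen[$1] = 1; print; next }
             !($1 in seen) { print }' "$new" "$cur" > "$tmp"
    chmod 644 "$tmp"          # /etc/passwd must stay readable by everyone
    mv "$tmp" "$out"          # atomic replace: never a half-written passwd
}

# Constructed sample data standing in for the real files.
write_samples() {
    dir=$1
    cat > "$dir/passwd.current" <<'EOF'
Administrator:unused:500:513:U-RACK\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
stahnma:unused:1003:513:U-RACK\stahnma,S-1-5-21-1-2-3-1003:/home/stahnma:/bin/bash
svc_backup:unused:1010:513:hand-added service account:/home/svc_backup:/bin/bash
EOF
    # What "mkpasswd -l" might print after stahnma's home moved and jdoe was added.
    cat > "$dir/passwd.new" <<'EOF'
Administrator:unused:500:513:U-RACK\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
stahnma:unused:1003:513:U-RACK\stahnma,S-1-5-21-1-2-3-1003:/cygdrive/c/users/stahnma:/bin/bash
jdoe:unused:1011:513:U-RACK\jdoe,S-1-5-21-1-2-3-1011:/home/jdoe:/bin/bash
EOF
}

# Demonstration against scratch copies; for real use the result path is /etc/passwd.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
merge_passwd "$demo_dir/passwd.current" "$demo_dir/passwd.new" "$demo_dir/passwd.merged"
cat "$demo_dir/passwd.merged"
rm -rf "$demo_dir"
```

For the real system the call is merge_passwd /etc/passwd /tmp/passwd.new /etc/passwd after running mkpasswd -l (or -d) into /tmp/passwd.new; because awk finishes reading the current file before the rename happens, passing the same path as input and output is safe.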

■Caution If you use public key authentication to connect to a Windows SSH server, you may not be able to access network drives, because Windows never receives your password and so cannot pass it on for SMB authentication. Password authentication to sshd avoids the problem, at the cost of typing the password for every login.

Upgrading OpenSSH Cygwin Packages

OpenSSH is upgraded on a regular basis. To keep current, you can download the latest source from http://www.openssh.com and compile and install it under Cygwin. You will need GNU Make and other build utilities (available via the Cygwin installer) to complete the compilation; see the Cygwin documentation for the requirements. Alternatively, wait for the Cygwin team to release the updated package. To install updates in this fashion, run the Cygwin setup.exe file (or download a new one). Select the Install from Internet option and continue until you are prompted for package selection. Navigate to OpenSSH. The Current column shows the installed version and the next column the available version. If you wish to upgrade, select the new version and click Next. The upgraded package will be downloaded and installed. Stop the sshd service before upgrading and start it again afterward, so that the running daemon is the new binary rather than a locked copy of the old one.

Configuration

The configuration of OpenSSH on Microsoft Windows is identical to that of sshd and the ssh client on any other platform, with the exception of ControlMaster and ControlPath in the client. The configuration files inside Cygwin are found in /etc. Public key authentication, key generation, SSH agents, and file transfers all work the same with OpenSSH on Windows as they do on traditional UNIX/Linux platforms, so the sshd_config hardening discussed elsewhere in this book (protocol 2 only, AllowUsers, and so on) applies here as well.

Cygwin as an X Server on Windows

Cygwin can also provide a free X server for Windows systems. It accepts X11 connections forwarded through SSH, so UNIX/Linux graphical applications can be run from Windows workstations. To create an X server, run the Cygwin setup.exe file. Navigate to the X11 category and select X-start-menu-icons, which selects everything required to make your PC run as an X server. The installation will probably take a few minutes. Once the X server has been installed, use the Start Menu icon to start it, or type startx from the Cygwin bash shell. The default configuration of X from Cygwin is fairly secure: it accepts connections that arrive through SSH forwarding (which reach it from localhost), but it will not allow other displays to connect without explicitly allowing them via xhost. Avoid xhost +, which opens the display to every host on the network; forwarding through SSH is the better way to let a remote application reach your screen.

command 132 ARCFOUR 13 -v command-line option ARP Poisoning attack scp command 84 Telnet security analysis 6 sftp command 88 asymmetric encryption -V command-line option compared to symmetric encryption 18 ssh command 79 ciphers 13–14 ■INDEX 275 authentication 113 ChallengeResponseAuthentication automation 201 directive choosing what types of authentication are sshd_config file 53 permitted 168 ssh_config file 93 input 201 CheckHostIP keyword methods 180 ssh_config file 94 OpenSSH secure gateway 174 checksums 10 output 202 MACs 11 phasing out of for OpenSSH security 180 md5 hash function 10 public key authentication 113 SHA-1 hash function 10–11 types of authentication inside Open SSH sum command 10 142–143 chgrp command AuthorizedKeysFile directive sftp command 89 sshd_config file 52 chmod command authorized_keys file 44, 192, 236 sftp command 89 backup policies 179 chown command environment keyword 123 sftp command 89 installing public key on remote host 119 Cipher keyword invalid entries 120 ssh_config file 94 no-port-forwarding option 123 Ciphers directive root account 181 sshd_config file 53 specifying which keys can be used from Ciphers keyword where 173 ssh_config file 94 source node restrictions 188 ClearAllForwardings keyword automated authentication 201 ssh_config file 94 availability as security concept 3 ClearAllForwardings option Telnet security analysis 7 157 available lists client configuration files 42–46 script to find 178 SSH (Secure Shell) 20 client tools for Windows 32–34 ■B ClientAliveCountMax directive B buffer_size command-line option sshd_config file 53 sftp command 86 ClientAliveInterval directive backup policies sshd_config file 54 OpenSSH secure gateway 179 comments, key policy and 189 Banner directive Comprehensive Perl Archive Network. 
See sshd_config file 53 CPAN banner file 39 Compression directive BatchMode keyword sshd_config file 54 ssh_config file 93 Compression keyword scenarios 110 ssh_config file 95 BatchMode option 211 CompressionLevel keyword binary distribution ssh_config file 95 compared to source-based distribution confidentiality 166–167 information security 3 BindAddress keyword Telnet security analysis 6 ssh_config file 93 configuration files 44 block ciphers 12–13 checking changes 186 Blowfish 12 checking versions 186 Bundle::SSH, installing 217 creating masters 185 bye command distributing 186 sftp command 88 Connection hijacking prevented through OpenSSH 21 ■C Connection Settings dialog box CAST 13 Manual proxy configuration 158 command ConnectionAttempts keyword sftp command 88 ssh_config file 95 276 ■INDEX

ConnectTimeout keyword environment keyword ssh_config file 95 authorized_keys file 123 ssh_config file scenarios 110 environment management ConnectTimeout option 209, 211 planning 165–166 ControlMaster keyword security guidelines 166–169 ssh_config file 95 checks and balances 169 ControlPath keyword staff commitment 169–170 ssh_config file 96 EscapeChar keyword cpan 217 ssh_config file 97 CPAN (Comprehensive Perl Archive Network) command 216 sftp command 89 Net::SSH module, installing 216–217 cron usage ■F key policy 190–191 file permissions Cygwin 261 key policy 190 and users 270 managing OpenSSH secure gateway 176 as X server on Windows 271 file transfer example with scp command 81 configuration 270 files configuring sshd as a service 266–267 implied user name using scp command 81 downloading and installing 263–265 local copying using scp command 81 introduction 263 pushing and pulling file using scp testing connection 268 command 82 establishing connection 269 recursive copying with scp command 81 Windows firewall 268-269 retrieving example (Perl) 219–220 upgrading OpenSSH packages 270 transferring and renaming with scp command 81 ■D FileZilla daemon configuration files introduction 255–256 SSH (Secure Shell) 20 FISH (Files over SSH) 253 Data Encryption Standard (DES) 12 forced-commands-only token database, updating example (Perl) 219–220 root account 181 debugging ssh_config file 92 forward agent Denial of Service attacks, protecting against 3 ssh_config file scenarios 110 DenyGroups directive ForwardAgent keyword sshd_config file 54 ssh_config file 97 DenyUsers directive forwarding sshd_config file 54 introduction 147 DES (Data Encryption Standard) 12 port investigation 149–150 DHCP (Dynamic Host Configuration TCP connection forwarding 150–159 Protocol) workings of 148–149 reasons for key changes 19 X11 forwarding 159–163 diff command 205 ForwardX11 keyword Diffie-Hellman key exchange algorithm 14 ssh_config file 97 digital signature algorithm. 
See DSA ForwardX11Trusted keyword DSA (digital signature algorithm) 188 ssh_config file 97 compared to RSA 121 FTP dynamic forwarding 157, 159 replacing with commands on OpenSSH Dynamic Host Configuration Protocol. See 30–31 DHCP security analysis 7 DynamicForward keyword strengths 4–5, 8 ssh_config file 96 ftpd, SSH advantages over 17 ■E ■G EnableSSHKeysign keyword Garfinkel, Simson, Spafford, Gene and ssh_config file 96 Schwartz, Alan entropy 39 Practical Unix & Internet Security, 3rd environment file 44 Edition 8 ■INDEX 277

GatewayPorts directive IgnoreRhosts directive sshd_config file 54 sshd_config file 56 GatewayPorts keyword IgnoreUserKnownHosts directive ssh_config file 97 sshd_config file 56 get command implied example using scp command sftp command 89 81 GlobalKnownHostsFile keyword implied user using scp command 81 ssh_config file 98 information security, foundations 3–4 GSSAPI supported by SSH Tectia Server insertion/session-hijacking attack 228 Telnet security analysis 6 GSSAPIAuthentication directive integrity sshd_config file 55 information security 3 GSSAPIAuthentication keyword Telnet security analysis 6 ssh_config file 98 interactive sessions GSSAPICleanupCredentials directive ssh command 70 sshd_config file 55–56 IPSEC tunnels 148 GSSAPIDelegateCredentials keyword ssh_config file 98 ■K ■H OpenSSH security 181 command supported by SSH Tectia Server 228 sftp command 89 using with AFS (Andrew File System) 56 here documents 207 KerberosAuthentication directive host key sshd_config file 56 SSH (Secure Shell) 20 KerberosOrLocalPasswd directive host key checking sshd_config file 56 choosing whether to enforce 168 key changes, reasons for 19 host keys key distribution caching 179 advantages of public key repository 192 checking 187 building public key RPM 193–196 Host keyword building file 193 ssh_config file 98–99 common drop-off point 192 host-based authentication introduction 192 benefits and drawbacks 169 keys on CD-ROM/USB key 196 ssh_config file scenarios 111 key distribution script example 204 host-based public key authentication revisited 209–210 summary 141–142 key exchange (SSH) 18 HostbasedAuthentication directive key management 187 sshd_config file 55 key pair, generating with ssh-keygen ssh_config file 99 command 117 HostKey directive key policy sshd_config file 55 algorithms 188 HostKeyAlgorithms keyword comments 189 ssh_config file 99 cron usage 190–191 HostKeyAlias keyword file permissions 190 ssh_config file 99 introduction 188 HostName keyword key size 188 
ssh_config file 99 naming conventions 189 hosts.equiv file 40 ownership 189 passphrases 189 ■I public key restrictions 190 IdentitiesOnly keyword questions surrounding 166 ssh_config file 100 storing private keys 190 IdentityFile keyword key-based authentication ssh_config file 100 benefits 169 id_dsa file 43 choosing whether to permit 166 id_rsa file 43 OpenSSH secure gateway 174 278 ■INDEX

Keychain lumask command introduction 191–192 sftp command 90 Keychain tool 134 MACs (Message Authentication Codes) 11 KeyRegenerationInterval directive sshd_config file 57 ■M keys MACs algorithms bit length 118 ssh_config file 100 introduction 120–121 MACs directive key generation information 124–132 sshd_config file 57 public key restrictions 121–123 man-in-the-middle attack. See MITM attacks tracing public keys to users 124 Manual proxy configuration keystream 13 Connection Settings dialog box 158 command 49 MaxAuthTries directive known hosts caching sshd_config file 58 SSH (Secure Shell) 20 MaxStartups directive known_hosts file 44 sshd_config file 58 md5 hash function 10 ■L Message Authentication Codes. See MACs lcd command MITM attacks sftp command 89 description 17–18 LDAP prevented through OpenSSH 21 OpenSSH security 181 SSH prevents 17–18 legacy protocols Telnet security analysis 6 common strengths 4–5 command learning to 9 sftp command 90 replacing with OpenSSH 14 monitoring SSH 187 replacing with SSH 3 security analysis 5 ■N FTTP 7 naming conventions r-utilities 7–8 key policy and 189 Telnet 5–7 network location where they still make sense 8 OpenSSH secure gateway 175 ListenAddress directive Net::SSH module 216 sshd_config file 57 function walkthrough 218–219 lls command installing via CPAN 216–217 sftp command 89 testing 217–218 lmkdir command using 218 sftp command 90 no-port-forwarding option ln command authorized_keys file 123 sftp command 90 no-X11-forwarding keyword 123 local copying NoHostAuthenticationForLocalhost keyword using scp command 81 ssh_config file 100 LocalForward keyword nologin directive ssh_config file 100 patching OpenSSH 185 locally run script 207–208 nologin file 40 logging parameters NumberOfPasswordPrompts keyword what to use 168 ssh_config file 101 LoginGraceTime directive sshd_config file 57 ■O LogLevel directive OpenSSH sshd_config file 57 See also SSH LogLevel keyword checking host keys 187 ssh_config file 100 compared to 
SSH Tectia Server 227–230, lpwd command 231–235 sftp command 90 configuration files ls command checking changes 186 sftp command 90 checking versions 186 ■INDEX 279

creating masters 185 support 170 distributing config files 186 types of authentication 142–143 connecting via 22 OpenSSH client 69 downloading 22 client commands 70 OpenSSL 24 scp command 80–84 zlib 23 sftp command 84–91 establishing security basics 10 ssh command 70–80 asymmetric ciphers begin 13–14 order of precedence 69 checksums 10–11 ssh_config file 92 symmetric ciphers 11–13 debugging 92 file structure 37 documenting 105–110 client configuration files 42–46 keywords 92–105 server configuration files 37–42 scenarios 110–112 information security 4 OpenSSH secure gateway installing 24–27 alternatives to 179 checking installation 28 ad hoc administration 180 troubleshooting 28–30 no keys allowed 180 introduction 21 introduction 170–171 key distribution 192 managing gateway 176 advantages of public key repository 192 backup policies 179 building public key RPM 193–196 caching host keys 179 common drop-off point 192–193 creating unavailable lists 177–178 keys on CD-ROM/USB key 196 file permissions 176 key management 187 system lists, generating 176–177 introduction 187 reasons for using 179 key policy 188 security concerns 174 algorithms 188 authentication 174 comments 189 avoiding single point of failure 176 cron usage 190–191 network location 175 file permissions 190 physical security 174 key size 188 root access 174–175 naming conventions 189 services 175 ownership 189 user restrictions 175 passphrases 189 setting up 172–173 public key restrictions 190 OpenSSH server 47 storing private keys 190 automatically starting and stopping 28 managing 185 managing 49–50 managing environment 165 manually starting and stopping 27 OpenSSH secure gateway 170–180 sshd_config file 51 planning 165–170 building 64–67 monitoring SSH 187 directives 51–64 portable version 25 ensuring security of 67 removing from Red Hat/SUSE Linux starting 27 system 231 testing 47 replacing legacy protocols 14 changing default configuration of file securing 180–185 and port 48 authentication methods 
180 checking syntax of sshd_config patching OpenSSH 184–185 47–48 root account 181–183 reloading configuration files 49 ssh-keygen command 117 running OpenSSH server in SSHFP mode 48–49 storing public host keys in DNS 196–198 Windows 263 starting OpenSSH server 27 Cygwin implementation 263–271 automatically starting and stopping 28 OpenSSL 24 manually starting and stopping 27 ownership, key policy and 189 280 ■INDEX

■P Port directive Pageant program sshd_config file 59 introduction 248–249 restriction PAM no-port-forwarding option 123 supported by SSH Tectia Server 228 Port keyword Pari module ssh_config file 101 installing 217 Practical Unix & Internet Security, 3rd Edition passphrases 43 Garfinkel, Simson, Spafford, Gene and key policy and 189 Schwartz, Alan 8 working with 117 PreferredAuthentications keyword password authentication ssh_config file 101, 116 advantage of public key authentication PrintLastLog directive 115 sshd_config file 60 benefits 169 PrintMotd directive compared to public key authentication sshd_config file 60 115 private keys not an option with Net::SSH module 218 converting to SecSH format 259 supported by SSH Tectia Server 228 loading into ssh-agent 133 password-free authentication 201 private key file 121 PasswordAuthentication directive storing 190 sshd_config file 58 privileged ports 149 ssh_config file 101 progress command patching OpenSSH 184 sftp command 90 methods 184 Protocol directive using the nologin directive 185 sshd_config file 60 working with the daemon 185 Protocol keyword Perl 215 ssh_config file 101 examples of scripts 219 protocols additional tasks 220 See also legacy protocols retrieving files and updating a database replacing legacy protocols with SSH 3 219–220 ProxyCommand keyword Net::SSH module 216 ssh_config file 101 function walkthrough 218–219 PSCP utility 250 installing via CPAN 216–217 PSFTP utility 250 testing 217–218 PubkeyAuthentication directive using 218 sshd_config file 60 when to use 216 PubkeyAuthentication keyword permissions ssh_config file 102, 116 using scp command 82 public key authentication 113 PermitEmptyPasswords directive compared to password authentication 115 sshd_config file 58 connecting 119 PermitRootLogin directive ensuring availability over server 116 sshd_config file 58 ensuring client allows public key PermitRootLogin token authentication 116 root account 181 introduction 114 
PermitUserEnvironment directive security of 114–115 sshd_config file 59 setting up 116 PidFile directive generating key pair 117 sshd_config file 59 installing public key on remote host pipes 205 118–119 See also redirection and pipes SSH Tectia Client 259 with redirection 206 SSH Tectia Server 232–233 PKI (Public Key Infrastructure) ssh-agent 132–140 OpenSSH security 181 summary 140 supported by SSH Tectia Server 228 guidelines 140–141 plink tool host-based 141–142 introduction 246 security 140 ■INDEX 281

supported by SSH Tectia Server 228 recursive copying troubleshooting 120 scp command example 81 file ownership and permissions 120 Red Hat invalid authorized_keys entry 120 removing OpenSSH from 231 password expiry 120 redirection and pipes 205–206 public key encryption 18 capturing stderr and stdout 209 algorithms 14 variables within ssh commands 206 public key file 121 locally run script 207–208 Public Key Infrastructure scripting using a here document 207 supported by SSH Tectia Server 228 sending the script as a command over public key restrictions 121 ssh 207 agent forwarding restriction - no-agent regular expressions forwarding 123 example of using scp command 80 command restriction – command 122 RemoteForward keyword environment restriction – environment ssh_config file 102 123 rename command forwarding restriction - no-X11- sftp command 90 forwarding 123 renaming files port forwarding restriction - no-port- example using scp command 81 forwarding option 123 RhostsRSAAuthentication directive source restriction – from 122 sshd_config file 61 specific port forwarding enabled - RhostsRSAAuthentication keyword permitopen option 123 ssh_config file 102 TTY restriction- no-pty 123 Rivest, Ron public keys RSA algorithm 121 advantages of repository 192 rlogind building public key RPM 193–196 SSH advantages over 17 restrictions 190 rm command storing public host keys in DNS 196–198 sftp command 91 pushing and pulling files command using scp command 82 sftp command 91 put command root access sftp command 90 OpenSSH secure gateway 174–175 PuTTY family root account Pageant program 248–249 OpenSSH security 181–183 plink tool 246 RPM (RPM Package Manager) PSCP utility 250 building for public keys 193 PSFTP utility 250 building public key RPM 194–195 PuTTY tool 241–246 querying 195 PuTTYgen utility 247–248 revocation of compromised keys 196 summary 250 verification 196 PuTTY tool rpm verification 213 introduction 241–246 RSA algorithm 188 PuTTYgen utility 247–248 compared 
to DSA 121 pwd command RSA Security sftp command 90 SecurID 228 RSAAuthentication directive ■Q sshd_config file 61 quit command RSAAuthentication keyword sftp command 90 ssh_config file 102 rsh command ■R functionality replaced by ssh command r-utilities 70–72 security analysis 7–8 rshd strengths 4–5, 9 SSH advantages over 17 rc file 44 scanning for .rhosts files example 214–215 282 ■INDEX

■S sftp command 69, 84 Schwartz, Alan, Garfinkel, Simson, and distributing configuration files 186 Spafford, Gene, examples 85 Practical Unix & Internet Security, 3rd batching sftp commands 85–86 Edition 8 command-line options 86–91 scp simple interactive sftp session 85 as alternative to FTP and rcp 31 interactive commands 88 scp command 69, 80 sftp file 45 distributing configuration files 186 SHA-1 hash function 10–11 examples 80 Shamir, Adi file transfer and renaming 81 RSA algorithm 121 implied path 81 shell scripts 202 implied user 81 administrative example 211–212 local copying 81 migrating legacy scripts 210 permissions 82 reasons for using 202–205 pushing and pulling files 82 redirection and pipes 205 recursive copying 81 capturing stderr and stdout 209 using regular expressions 80 pipes 205 files 45 pipes with redirection 206 options 82–84 simple key distribution script revisited scripting 201 209–210 authentication 201–202 variables within ssh commands Perl 215–221 206–209 real world examples 210–215 security examples 212 shell scripts 202–210 scanning for .rhosts files 214–215 web scripting 221–225 system logs 214 SecurID verifying rpms 213 supported by SSH Tectia Server 228 shosts.equiv file 41 security SmartcardDevice keyword establishing guidelines for environment ssh_config file 103 management 166–169 source-based distribution checks and balances 169 compared to binary distribution 166–167 staff commitment 169–170 Spafford, Gene, Garfinkel, Simson, and OpenSSH secure gateway 174 Schwartz, Alan authentication 174 Practical Unix & Internet Security, 3rd avoiding single point of failure 176 Edition 8 network location 175 specific port forwarding enabled physical security 174 permitopen option 123 root access 174–175 SSH (Secure Shell) services 175 See also OpenSSH user restrictions 175 basics 20 security shell script examples 212 choices 21 scanning for .rhosts files 214–215 OpenSSH 21 system logs 214 SSH Tectia products 21–22 verifying rpms 213 
information security 4 SendEnv keyword introduction 17–19 ssh_config file102 replacing legacy protocols 3 server configuration files 37–42 web front ends 221 ServerAliveCountMax keyword security concerns 222 ssh_config file 103 setting up an account 221–222 ServerAliveInterval keyword using 222, 224–225 ssh_config file 103 workings of 19 ServerKeyBits directive SSH agent forwarding sshd_config file 61 choosing whether to allow or not 168 set command 132 ssh client tunnel setup via escape sequences 152 ■INDEX 283

SSH client alternatives 241 ssh-add file 45 FileZilla 255–256 ssh-agent FISH (Files over SSH) 254–255 agent forwarding 138–140 PuTTY family 241–250 command options 134–135 SSH Tectia Client 257–260 guidelines 134 WinSCP application 250–254 ssh-add command 135–138 ssh command 69–70 ssh-agent command 134–135 capturing stdout and stderr 209 introduction132–133 command-line options 74–80 ssh-agent file 45 common usage 70 ssh-keygen -l command 181 acting as transport mechanism 72 ssh-keygen command interactive sessions 70 -a trials switch 125 remote commands 71–72 -b bits switch 125 escape sequences 72–74 -B option 129 ssh commands -c option 126, 129 variables within 206 -D option 129 locally run script 207–208 -e option 126 scripting using a here document 207 -f option 127, 130 sending the script as a command over -g option 127, 130 ssh 207 -i option 127 SSH Communications Security Inc -l option 127 SSH Tectia products 21 -M option 130 ssh file 45 -N option 131 SSH forwarding 148 -p option 127, 131 SSH protocol 1 -q option 128 allowing or not 167 -r hostname 128 SSH server -R option 131 choosing whether to listen on all IP -S option 131 addresses on a host 167 -t option 128, 131 SSH Tectia Client -U option 132 introduction 256–257, 259 -v option 129 SSH Tectia products 21–22 -W option 132 SSH Tectia Server 227 -y option 129 advantages over OpenSSH 227 generating key pair 117 authentication options 228 introduction 124-125 management options 228 ssh-keygen utility 41, 236 standard Windows client 228 ssh-keyscan file 41 differences with OpenSSH 231–232 ssh-keysign file 45 configuration differences 234 ssh-rand-helper file 41 configuration of SSH Tectia Server sshd 233–234 -d option 48 patching SSH tectia Server 234–235 checking behavior on setup 172 public key authentication 232–233 choosing logging level and facility for disadvantages 229 182–183 cost 230 choosing which port 167 package dependencies 229 sshd file 39 privilege separation 229 sshd.pid file 40 installing 
230–231 sshd_config file 39, 51 recommendations 230 AcceptEnv directive 51 working in a mixed environment AllowGroups directive 51 235 AllowTCPForwarding directive 52 key management 237–240 AllowUsers directive 52 SCP/SFTP 235 AuthorizedKeysFile directive 52 SSH Keys 236–237 Banner directive 53 ssh-add -l command 181 building 64–66 ssh-add command 135 ChallengeResponseAuthentication options 135–138 directive 53 284 ■INDEX

checking syntax 47–48 SSH_ASKPASS program Ciphers directive 53 ssh-add command 137–138 ClientAliveCountMax directive 53 SSH_AUTH_SOCK variable 132 ClientAliveInterval directive 54 ssh_config file 42, 92 Compression directive 54 debugging 92 DenyGroups directive 54 documenting 105–110 DenyUsers directive 54 keywords 92–105 ensuring security of 67 PreferredAuthentications keyword 116 GatewayPorts directive 54 PubkeyAuthentication keyword 116 GSSAPIAuthentication directive 55 scenarios 110 GSSAPICleanupCredentials directive 55–56 agent forwarding 110 HostbasedAuthentication directive 55 dealing with administrators 112 HostKey directive 55 dealing with users 111 IgnoreRhosts directive 56 host-based authentication 111 IgnoreUserKnownHosts directive 56 StrictHostKeyChecking, BatchMode, KerberosAuthentication directive 56 and ConnectTimeout 110 KerberosGetAFSToken directive 56 StrictHostKeyChecking 221 KerberosOrLocalPasswd directive 56 ssh_host_key file 38 KeyRegenerationInterval directive 57 ssh_host_key.pub file 38 ListenAddress directive 57 ssh_known_hosts file 40 LoginGraceTime directive 57 ssh_random_seed file 38 LogLevel directive 57 start/stop scripts MACs directive 57 SSH (Secure Shell) 20 MaxAuthTries directive 58 stderr MaxStartups directive 58 capturing from an ssh command 209 parameters 161 stdout PasswordAuthentication directive 58 capturing from an ssh command 209 PermitEmptyPasswords directive 58 stream ciphers 13 PermitRootLogin directive 58 StrictHostKeyChecking 221 PermitUserEnvironment directive 59 StrictHostKeyChecking keyword PidFile directive 59 ssh_config file 103–104 Port directive 59 scenarios 110 PrintLastLog directive 60 StrictModes directive 120 PrintMotd directive 60 sshd_config file 61 Protocol directive 60 enabling in sshd_config file 190 PubkeyAuthentication directive 60 Subsystem directive RhostsRSAAuthentication directive 61 sshd_config file 61 root account 181 sum command 10 RSAAuthentication directive 61 SUSE Linux system ServerKeyBits 
directive 61 removing OpenSSH from 231 StrictModes directive 61 symlink command StrictModes enabled 190 sftp command 91 Subsystem directive 61 symmetric ciphers SyslogFacility directive 62 block ciphers 12–13 TCPKeepAlive directive 62 introduction 11–12 UseDNS directive 62 stream ciphers 13 UseLogin directive 62 symmetric encryption UsePAM directive 63 compared to asymmetric encryption UsePrivilegeSeparation directive 63 18 X11DisplayOffset directive 63 SyslogFacility directive X11Forwarding directive 63 sshd_config file 62 X11UseLocalhost directive 64 system lists, generating XAuthLocation directive 64 managing OpenSSH secure gateway SSHFP 176–177 storing public host keys in DNS 196–198 system logs SSH_AGENT_PID variable 132 security shell script example 214 ■INDEX 285

■T UserKnownHostsFile keyword tar file, building 193 ssh_config file 105 Tavares, Stafford and Adams, Carlisle ■ creators of CAST 13 V TCP connection forwarding 150 verbosity levels choosing whether to allow or not 167 choosing what level is required 168 creating forwarded connection via VerifyHostKeyDNS keyword $HOME/.ssh/config 156 ssh_config file 105 configuration 156 version command forwarding collisions 156–157 sftp command 91 dynamic forwarding 157, 159 VNC (Virtual Network Computing) 152–153 pass-through forwarding 154 VPN () 148 remote forwarding 155 ■ setting up the tunnel 151–152 W tunnel setup via ssh client escape web scripting 221 sequences 152 web front ends tunneling through firewalls 153–154 using 222, 224–225 using SSH as a transport 157 web front ends for SSH 221 VNC 152–153 security concerns 222 TCP forwarding 147 setting up an account 221–222 SSH protocol 148 Windows TCPKeepAlive directive client tools for 32–34 sshd_config file 62 OpenSSH server 263 TCPKeepAlive keyword Cygwin implementation 263–271 ssh_config file 104 WinSCP application 250–254 Telnet without-password token daemon 30 root account 181 security analysis 5–7 X authentication 163 strengths 4–5 telnetd ■X SSH advantages over 17 X11 forwarding triple-DES 12 choosing whether to allow or not 167 introduction 159–160 ■U notes 163 unavailable systems working with OpenSSH 161 script to find 177 example connection 162 command 122 sshd_config 161 UseDNS directive X authentication 163 sshd_config file 62 X11 Windowing system 160–161 UseLogin directive X11DisplayOffset directive sshd_config file 62 sshd_config file 63 UsePAM directive X11Forwarding directive sshd_config file 63 sshd_config file 63 UsePrivilegedPort keyword X11UseLocalhost directive ssh_config file 104 sshd_config file 64 UsePrivilegeSeparation directive XAuthLocation directive sshd_config file 63 sshd_config file 64 User keyword XAuthLocation keyword ssh_config file 105 ssh_config file 105 user restrictions xterm command 162 
OpenSSH secure gateway 175 zlib 23